CVE-2011-5064

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Published Bycve@mitre.org

Published DateJan 14, 2012, 21:55

Affected Versions(3)

org.apache.tomcat:tomcat(Maven)

Introduced5.5.0

Fixed5.5.34

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced6.0.0

Fixed6.0.33

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced7.0.0

Fixed7.0.12

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat(Maven)	5.5.0	5.5.34	N/A
org.apache.tomcat:tomcat(Maven)	6.0.0	6.0.33	N/A
org.apache.tomcat:tomcat(Maven)	7.0.0	7.0.12	N/A

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-310

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE